This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd, /etc/hosts.allow, & Alternate Access Methods


On Thu, 23 Feb 2006, Tim Daneliuk wrote:

> Is anyone familiar with alternate access methods as they apply to
> cygwin? If I edit /etc/hosts.allow, the alternate access method
> (indicated by a '+' in an 'ls -l' listing) gets lost. Thereafter
> /etc/hosts.allow is no longer properly observed by sshd - it makes ssh
> logins impossible from anything other than localhost.

Cygwin isn't ACL-aware, and file creation operations don't retain the
original ACLs -- Cygwin constructs them anew to reflect the permission
mapping.  See <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files>.
To make sure you keep the ACLs, use an editor that edits files in-place,
rather than making a copy (e.g., vim).

> So ... how do I edit /etc/hosts.allow and retain the alternate access
> method that appears to be crucial for proper sshd operation?

The alternate access method is not crucial.  What's crucial is that the
files should be a) readable by SYSTEM, and b) not group/world-readable.
To accomplish this, "chown SYSTEM.SYSTEM /etc/hosts.{allow,deny} && chmod
600 /etc/hosts.{allow,deny}" (this is more secure, anyway).  No need for
an alternate method.  You can then temporarily chown them to your userid
or "chmod a+w" for editing (restoring the owner/permissions afterwards).

> P.S. Notice that merely copying the originally installed hosts.allow to
>      a backup copy causes the alternate access method to be lost:

Same reason -- Cygwin isn't really ACL-aware.  You can also restore the
original ACLs by running something like "getfacl hosts.allow | setfacl -f
- hosts.allow.orig" (assuming the owner stays the same).

> -rwx------+ 1 tundra None  200 Feb 23 00:15 hosts.allow
> -rwx------  1 tundra None  200 Feb 23 00:15 hosts.allow.orig
> -rwx------+ 1 tundra None  407 Feb 23 00:15 hosts.deny

These files should really be owned by SYSTEM (or whatever user sshd runs
as).

HTH,
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"
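The procedure the reply describes (chown the tcp_wrappers files to the sshd account, chmod 600, temporarily hand them to yourself for editing, restore the ACL with getfacl/setfacl after a copy), as an added shell example that is not part of the original message or of the Cygwin project. It assumes Cygwin's GNU chown/chmod/stat and Cygwin's getfacl/setfacl; the names SVC_USER and SVC_GROUP, and the functions lock_down, check_tcpwrap_perms, edit_locked and copy_acl, are this example's own and default to the SYSTEM account named in the reply.

```shell
#!/bin/sh
# Added example (not from the original post or from Cygwin): lock down
# /etc/hosts.allow and /etc/hosts.deny as the reply recommends and verify
# the result.  Assumptions: GNU chown/chmod/stat (as shipped with Cygwin)
# and Cygwin's getfacl/setfacl.  SVC_USER/SVC_GROUP are the account sshd
# runs as (SYSTEM by default); override them to try this elsewhere.
SVC_USER="${SVC_USER:-SYSTEM}"
SVC_GROUP="${SVC_GROUP:-$SVC_USER}"

# lock_down FILE...: owner/group to the sshd account, mode 0600 (owner
# read/write only), so sshd can read the file and nobody else can.
lock_down() {
    chown "$SVC_USER:$SVC_GROUP" "$@" && chmod 600 "$@"
}

# check_tcpwrap_perms FILE: succeed only if FILE is owned by the sshd
# account, readable by its owner, and not group- or world-readable.
check_tcpwrap_perms() {
    f="$1"
    owner=$(stat -c '%U' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1          # e.g. 600, 644, 4700
    [ "$owner" = "$SVC_USER" ] || return 1
    grp_oth=${mode#"${mode%??}"}                    # last two octal digits
    [ "$grp_oth" = "00" ] || return 1
    usr=${mode%??}; usr=${usr#"${usr%?}"}           # owner's own digit
    case "$usr" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# edit_locked FILE CMD [ARG...]: temporarily hand FILE to the user running
# this script, run CMD (an editor, or any command that names FILE), then
# give it back to the sshd account with mode 0600.  An editor that writes
# a fresh copy is fine here, because lock_down rebuilds the ownership and
# mode afterwards instead of relying on a preserved ACL.
edit_locked() {
    f="$1"; shift
    chown "$(id -un)" "$f" || return 1
    "$@"; rc=$?
    lock_down "$f" || return 1
    return $rc
}

# copy_acl SRC DST: replicate SRC's ACL onto DST with Cygwin's
# getfacl/setfacl, as in the reply; only meaningful if DST keeps SRC's owner.
copy_acl() {
    getfacl "$1" | setfacl -f - "$2"
}

# Usage on a Cygwin box from an administrative shell:
#   lock_down /etc/hosts.allow /etc/hosts.deny
#   check_tcpwrap_perms /etc/hosts.allow && echo "hosts.allow OK"
#   edit_locked /etc/hosts.allow vi /etc/hosts.allow
```

check_tcpwrap_perms is the test to run after any edit or copy: it fails on the 644 that a copying editor or `cp` tends to leave behind and on a file that ended up owned by the editing user, which are exactly the two states in which sshd can no longer read the rules it is supposed to enforce.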
